com.nimbusds.oauth2.sdk.auth.JWTAuthentication Maven / Gradle / Ivy
/*
* oauth2-oidc-sdk
*
* Copyright 2012-2016, Connect2id Ltd and contributors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use
* this file except in compliance with the License. You may obtain a copy of the
* License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed
* under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package com.nimbusds.oauth2.sdk.auth;
import com.nimbusds.common.contenttype.ContentType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.SerializeException;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.util.MultivaluedMapUtils;
import com.nimbusds.oauth2.sdk.util.StringUtils;
import com.nimbusds.oauth2.sdk.util.URLUtils;
import java.util.*;
/**
* Base abstract class for JSON Web Token (JWT) based client authentication at
* the Token endpoint.
*
* Related specifications:
*
*
* - OAuth 2.0 (RFC 6749), section 3.2.1.
*
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and
* Authorization Grants (RFC 7523).
*
- OpenID Connect Core 1.0, section 9.
*
*/
public abstract class JWTAuthentication extends ClientAuthentication {
/**
* The expected client assertion type, corresponding to the
* {@code client_assertion_type} parameter. This is a URN string set to
* "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".
*/
public static final String CLIENT_ASSERTION_TYPE =
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
/**
* The client assertion, corresponding to the {@code client_assertion}
* parameter. The assertion is in the form of a signed JWT.
*/
private final SignedJWT clientAssertion;
/**
* The JWT authentication claims set for the client assertion.
*/
private final JWTAuthenticationClaimsSet jwtAuthClaimsSet;
/**
* Parses the client identifier from the specified signed JWT that
* represents a client assertion.
*
* @param jwt The signed JWT to parse. Must not be {@code null}.
*
* @return The parsed client identifier.
*
* @throws IllegalArgumentException If the client identifier couldn't
* be parsed.
*/
private static ClientID parseClientID(final SignedJWT jwt) {
String subjectValue;
String issuerValue;
try {
JWTClaimsSet jwtClaimsSet = jwt.getJWTClaimsSet();
subjectValue = jwtClaimsSet.getSubject();
issuerValue = jwtClaimsSet.getIssuer();
} catch (java.text.ParseException e) {
throw new IllegalArgumentException(e.getMessage(), e);
}
if (subjectValue == null)
throw new IllegalArgumentException("Missing subject in client JWT assertion");
if (issuerValue == null)
throw new IllegalArgumentException("Missing issuer in client JWT assertion");
return new ClientID(subjectValue);
}
/**
* Creates a new JSON Web Token (JWT) based client authentication.
*
* @param method The client authentication method. Must not be
* {@code null}.
* @param clientAssertion The client assertion, corresponding to the
* {@code client_assertion} parameter, in the
* form of a signed JSON Web Token (JWT). Must
* be signed and not {@code null}.
*
* @throws IllegalArgumentException If the client assertion is not
* signed or doesn't conform to the
* expected format.
*/
protected JWTAuthentication(final ClientAuthenticationMethod method,
final SignedJWT clientAssertion) {
super(method, parseClientID(clientAssertion));
if (! clientAssertion.getState().equals(JWSObject.State.SIGNED))
throw new IllegalArgumentException("The client assertion JWT must be signed");
this.clientAssertion = clientAssertion;
try {
jwtAuthClaimsSet = JWTAuthenticationClaimsSet.parse(clientAssertion.getJWTClaimsSet());
} catch (Exception e) {
throw new IllegalArgumentException(e.getMessage(), e);
}
}
/**
* Gets the client assertion, corresponding to the
* {@code client_assertion} parameter.
*
* @return The client assertion, in the form of a signed JSON Web Token
* (JWT).
*/
public SignedJWT getClientAssertion() {
return clientAssertion;
}
/**
* Gets the client authentication claims set contained in the client
* assertion JSON Web Token (JWT).
*
* @return The client authentication claims.
*/
public JWTAuthenticationClaimsSet getJWTAuthenticationClaimsSet() {
return jwtAuthClaimsSet;
}
@Override
public Set getFormParameterNames() {
return Collections.unmodifiableSet(new HashSet<>(Arrays.asList("client_assertion", "client_assertion_type", "client_id")));
}
/**
* Returns the parameter representation of this JSON Web Token (JWT)
* based client authentication. Note that the parameters are not
* {@code application/x-www-form-urlencoded} encoded.
*
* Parameters map:
*
*
* "client_assertion" = [serialised-JWT]
* "client_assertion_type" = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
*
*
* @return The parameters map, with keys "client_assertion" and
* "client_assertion_type".
*/
public Map> toParameters() {
Map> params = new HashMap<>();
try {
params.put("client_assertion", Collections.singletonList(clientAssertion.serialize()));
} catch (IllegalStateException e) {
throw new SerializeException("Couldn't serialize JWT to a client assertion string: " + e.getMessage(), e);
}
params.put("client_assertion_type", Collections.singletonList(CLIENT_ASSERTION_TYPE));
return params;
}
@Override
public void applyTo(final HTTPRequest httpRequest) {
if (httpRequest.getMethod() != HTTPRequest.Method.POST)
throw new SerializeException("The HTTP request method must be POST");
ContentType ct = httpRequest.getEntityContentType();
if (ct == null)
throw new SerializeException("Missing HTTP Content-Type header");
if (! ct.matches(ContentType.APPLICATION_URLENCODED))
throw new SerializeException("The HTTP Content-Type header must be " + ContentType.APPLICATION_URLENCODED);
Map> params;
try {
params = new LinkedHashMap<>(httpRequest.getBodyAsFormParameters());
} catch (ParseException e) {
throw new SerializeException(e.getMessage(), e);
}
params.putAll(toParameters());
httpRequest.setBody(URLUtils.serializeParameters(params));
}
/**
* Ensures the specified parameters map contains an entry with key
* "client_assertion_type" pointing to a string that equals the expected
* {@link #CLIENT_ASSERTION_TYPE}. This method is intended to aid
* parsing of JSON Web Token (JWT) based client authentication objects.
*
* @param params The parameters map to check. The parameters must not be
* {@code null} and
* {@code application/x-www-form-urlencoded} encoded.
*
* @throws ParseException If expected "client_assertion_type" entry
* wasn't found.
*/
protected static void ensureClientAssertionType(final Map> params)
throws ParseException {
final String clientAssertionType = MultivaluedMapUtils.getFirstValue(params, "client_assertion_type");
if (clientAssertionType == null)
throw new ParseException("Missing client_assertion_type parameter");
if (! clientAssertionType.equals(CLIENT_ASSERTION_TYPE))
throw new ParseException("Invalid client_assertion_type parameter, must be " + CLIENT_ASSERTION_TYPE);
}
/**
* Parses the specified parameters map for a client assertion. This
* method is intended to aid parsing of JSON Web Token (JWT) based
* client authentication objects.
*
* @param params The parameters map to parse. It must contain an entry
* with key "client_assertion" pointing to a string that
* represents a signed serialised JSON Web Token (JWT).
* The parameters must not be {@code null} and
* {@code application/x-www-form-urlencoded} encoded.
*
* @return The client assertion as a signed JSON Web Token (JWT).
*
* @throws ParseException If a "client_assertion" entry couldn't be
* retrieved from the parameters map.
*/
protected static SignedJWT parseClientAssertion(final Map> params)
throws ParseException {
final String clientAssertion = MultivaluedMapUtils.getFirstValue(params, "client_assertion");
if (clientAssertion == null)
throw new ParseException("Missing client_assertion parameter");
try {
return SignedJWT.parse(clientAssertion);
} catch (java.text.ParseException e) {
throw new ParseException("Invalid client_assertion JWT: " + e.getMessage(), e);
}
}
/**
* Parses the specified parameters map for an optional client
* identifier. This method is intended to aid parsing of JSON Web Token
* (JWT) based client authentication objects.
*
* @param params The parameters map to parse. It may contain an entry
* with key "client_id" pointing to a string that
* represents the client identifier. The parameters must
* not be {@code null} and
* {@code application/x-www-form-urlencoded} encoded.
*
* @return The client identifier, {@code null} if not specified.
*/
protected static ClientID parseClientID(final Map> params) {
String clientIDString = MultivaluedMapUtils.getFirstValue(params, "client_id");
return StringUtils.isNotBlank(clientIDString) ? new ClientID(clientIDString) : null;
}
/**
* Parses the specified HTTP request for a JSON Web Token (JWT) based
* client authentication.
*
* @param httpRequest The HTTP request to parse. Must not be
* {@code null}.
*
* @return The JSON Web Token (JWT) based client authentication.
*
* @throws ParseException If a JSON Web Token (JWT) based client
* authentication couldn't be retrieved from the
* HTTP request.
*/
public static JWTAuthentication parse(final HTTPRequest httpRequest)
throws ParseException {
httpRequest.ensureMethod(HTTPRequest.Method.POST);
Map> params = httpRequest.getBodyAsFormParameters();
JWSAlgorithm alg = parseClientAssertion(params).getHeader().getAlgorithm();
if (ClientSecretJWT.supportedJWAs().contains(alg))
return ClientSecretJWT.parse(params);
else if (PrivateKeyJWT.supportedJWAs().contains(alg))
return PrivateKeyJWT.parse(params);
else
throw new ParseException("Unsupported signed JWT algorithm: " + alg);
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy